inkeep · amikofalvy · Apr 7, 2026 · pullfrog · Apr 7, 2026 · pullfrog
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
@@ -40,6 +40,19 @@ jobs:
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
 
+      # Generate a GitHub App token BEFORE checkout so that actions/checkout
+      # configures git's http.extraheader with the App token. This ensures
+      # subsequent pushes use the App identity and trigger downstream CI
+      # workflows. The default GITHUB_TOKEN's commits are ignored by GitHub
+      # to prevent infinite loops.
+      - name: Generate GitHub App Token
+        id: app-token
+        if: steps.pr-check.outputs.skip != 'true'
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        with:
+          app-id: ${{ secrets.INTERNAL_CI_APP_ID }}
+          private-key: ${{ secrets.INTERNAL_CI_APP_PRIVATE_KEY }}
+
       - name: Checkout code
         if: steps.pr-check.outputs.skip != 'true'
         id: checkout
@@ -49,24 +62,15 @@ jobs:
           # On PRs, check out the PR branch so we push back to it.
           # On push, check out the default ref (main).
           ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          # Use the App token so git's extraheader authenticates as the App,
+          # ensuring pushes trigger downstream workflows.
+          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
-          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token || github.token }}
-          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token || github.token }}
 
       - name: Log checkout failure
         if: steps.pr-check.outputs.skip != 'true' && steps.checkout.outcome == 'failure'
         run: |
           echo "::notice::Checkout failed — branch was likely deleted (PR merged). Skipping."
 
-      # Generate a GitHub App token so that auto-commits trigger downstream CI
-      # workflows. The default GITHUB_TOKEN's commits are ignored by GitHub to
-      # prevent infinite loops.
-      - name: Generate GitHub App Token
-        id: app-token
-        if: steps.pr-check.outputs.skip != 'true' && steps.checkout.outcome == 'success'
-        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
-        with:
-          app-id: ${{ secrets.INTERNAL_CI_APP_ID }}
-          private-key: ${{ secrets.INTERNAL_CI_APP_PRIVATE_KEY }}
-
       - name: Setup Node.js
         if: steps.pr-check.outputs.skip != 'true' && steps.checkout.outcome == 'success'
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
@@ -123,19 +127,12 @@ jobs:
         if: steps.pr-check.outputs.skip != 'true' && steps.checkout.outcome == 'success' && steps.changes.outputs.has_changes == 'true'
         env:
           PUSH_REF: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}
-          APP_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add -u
           git commit -m "style: auto-format with biome"
 
-          # Use GitHub App token so the push triggers downstream CI workflows.
-          # The default GITHUB_TOKEN's commits are ignored by GitHub to prevent loops.
-          if [ -n "$APP_TOKEN" ]; then
-            git remote set-url origin "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
-          fi
-
           # Verify remote branch still exists before pushing
           if ! git ls-remote --exit-code --heads origin "$PUSH_REF" > /dev/null 2>&1; then
             echo "::notice::Remote branch '$PUSH_REF' no longer exists (PR likely merged). Skipping push."

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -46,11 +46,29 @@ jobs:
       GIT_AUTHOR_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
 
     steps:
+      # Generate the App token BEFORE checkout so that actions/checkout
+      # configures git's http.extraheader with the App token. This ensures
+      # subsequent pushes (e.g. OpenAPI snapshot) use the App identity and
+      # trigger downstream CI workflows. The default GITHUB_TOKEN's commits
+      # are ignored by GitHub to prevent infinite loops.
+      - name: Generate GitHub App Token
+        id: app-token
+        if: |
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        with:
+          app-id: ${{ secrets.INTERNAL_CI_APP_ID }}
+          private-key: ${{ secrets.INTERNAL_CI_APP_PRIVATE_KEY }}
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.head_ref || github.ref }}
           fetch-depth: 0
+          # Use the App token so git's extraheader authenticates as the App,
+          # ensuring pushes trigger downstream workflows.
+          token: ${{ steps.app-token.outputs.token || github.token }}
-          token: ${{ steps.app-token.outputs.token || github.token }}
+          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
-          token: ${{ steps.app-token.outputs.token || github.token }}
+          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
 
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
@@ -99,19 +117,6 @@ jobs:
         env:
           HUSKY: 0
 
-      # Generate a GitHub App token so that auto-commits trigger downstream CI
-      # workflows. The default GITHUB_TOKEN's commits are ignored by GitHub to
-      # prevent infinite loops.
-      - name: Generate GitHub App Token
-        id: app-token
-        if: |
-          github.event_name == 'pull_request' &&
-          github.event.pull_request.head.repo.full_name == github.repository
-        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
-        with:
-          app-id: ${{ secrets.INTERNAL_CI_APP_ID }}
-          private-key: ${{ secrets.INTERNAL_CI_APP_PRIVATE_KEY }}
-
       # Auto-update OpenAPI snapshot on PRs (skip fork PRs since GITHUB_TOKEN is read-only)
       # Gate: only run when files that affect the OpenAPI spec changed.
       # These paths mirror the pre-commit hook in package.json lint-staged config.
@@ -147,14 +152,7 @@ jobs:
       - name: Commit OpenAPI snapshot if changed
         if: steps.openapi-changes.outputs.changed == 'true'
         run: |
-          # Use GitHub App token so the push triggers downstream CI workflows.
-          # The default GITHUB_TOKEN's commits are ignored by GitHub to prevent loops.
-          if [ -n "$APP_TOKEN" ]; then
-            git remote set-url origin "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
-          fi
           scripts/ci-commit-and-push.sh agents-api/__snapshots__/openapi.json "chore: update OpenAPI snapshot" "${{ github.head_ref }}"
-        env:
-          APP_TOKEN: ${{ steps.app-token.outputs.token }}
 
       - name: Install Playwright
         run: pnpm --filter @inkeep/agents-manage-ui exec playwright install chromium --with-deps # install browsers + dependencies for Chromium only